IT System Controls
Presentation Transcript

  1. IT System Controls Presented By Steve Cornell and Nadine Kilcullen

  2. Why We’re Here. • Roslyn School District • CPA Audits • Long-term IT Plan

  3. Audit Objectives • Are IT controls appropriately designed (and placed in operation)? • Are IT controls operating effectively? • … to safeguard assets from loss or misuse

  4. IT Assets • Data/Information • Software • Hardware • Facilities • Networks

  5. Risk Factors • Organization • Remote Access • Processing/Complexity • Changes

  6. Threats • Errors and Omissions • Fraud and Theft • Employee Sabotage • Loss of Physical/Infrastructure Support • Malicious Hackers • Malicious Code • Threats to Personal Privacy

  7. Control Types • Management Controls • Operational Controls • Technical Controls

  8. Risk Management • Risk is the possibility of an adverse result • Risk management is the process of: • Assessing risk • Taking steps to reduce risk to an acceptable level • Maintaining that level of risk.

  9. Life Cycle • Many models exist for the IT system life cycle. Most contain 5 basic phases: • Initiation • Development/Acquisition • Implementation • Operation • Disposal

  10. Certification & Accreditation • Certification and accreditation provide a form of assurance of the security of the system.

  11. System Security Plan • System security plans provide an overview of the security requirements and describe the controls in place or planned for meeting those requirements. • The plan delineates responsibilities and expected behavior of all individuals who access the system.

  12. System Security Plan • Formal Policy and Procedures • System Security Plan • Rules of Behavior • Security-related Activity Planning

  13. Personnel Security • Many important issues in computer security involve human users, designers, implementers, and managers. • A broad range of security issues relate to how individuals interact with computers, and the access and authorities needed to do their jobs.

  14. Personnel Security • Formal Policy and Procedures • Position Categorization • Personnel Screening • Personnel Termination

  15. Personnel Security • Personnel Transfer • Access Agreements • Third-Party Personnel Security • Personnel Sanctions

  16. Physical and Environmental Protection • Physical security and environmental security are the measures taken to protect systems, buildings, and supporting infrastructures against threats to their physical environment.

  17. Physical & Environmental • Formal Policy and Procedures • Physical Access Authorizations • Physical Access Controls • Access Control for Transmission Medium

  18. Physical & Environmental • Access Control for Display Medium • Monitoring Physical Access • Visitor Control • Access Logs

  19. Physical & Environmental • Power Equipment and Cabling • Emergency Shutoff • Emergency Power & Lighting • Fire Protection

  20. Physical & Environmental • Temperature and Humidity Controls • Water Damage Protection • Delivery and Removal • Alternate Work Site

  21. Production, Input/Output Controls • There are many aspects to supporting IT operations. • Topics range from a user help desk to procedures for storing, handling and destroying media.

  22. Production, Input/Output Controls • Formal Policy and Procedures • Media Access • Media Labeling • Media Storage

  23. Production, Input/Output Controls • Media Transport • Media Sanitization and Disposal

  24. Contingency Planning • Contingency planning involves more than planning for a move offsite after disaster destroys a facility. • It also addresses how to keep an organization’s critical functions operating in the event of disruptions, large and small.

  25. Contingency Planning • Formal Policy and Procedures • Contingency Plan • Contingency Training • Contingency Plan Testing

  26. Contingency Planning • Contingency Plan Update • Alternate Storage Sites • Alternate Processing Sites • Telecommunication Services

  27. Contingency Planning • IT System Backup • IT System Recovery and Reconstitution

  28. Hardware/Software Maintenance • Controls to monitor the installation of, and updates to, hardware and software • Controls ensure that the system functions as expected and that a historical record is maintained of changes.

  29. Hardware/Software Maint. • Formal Policy and Procedures • Periodic and Timely Maintenance • Maintenance Tools • Remote Maintenance • Maintenance Personnel

  30. Data Integrity • Data integrity controls are used to protect data from accidental or malicious alteration or destruction • Controls provide assurance that the information meets users’ quality and integrity expectations.

  31. Data Integrity • Formal Policy and Procedures • Flaw Remediation • Malicious Code Protection • IT System Monitoring Tools/Techniques

  32. Data Integrity • Security Alerts and Advisories • Security Functionality Verification • Software and Information Integrity • Spam Protection

  33. Data Integrity • Information Input Restrictions • Accuracy, Completeness, Validity, Authenticity • Error Handling • Information Output Handling, Retention

  34. Security Awareness, Training and Education • People are a critical factor in ensuring the security of computer systems and information resources. • Training and education enhance security by improving awareness of the need to protect resources. • Training develops skills and knowledge so computer users can perform their jobs more securely.

  35. Security Awareness, Training and Education • Formal Policy and Procedures • Security Awareness • Security Training (& Records) • Contacts with Security Groups/Associations

  36. Incident Response Capability • Computer security incidents are adverse events in a computer system or network. • Incidents are becoming more common with far-reaching impact.

  37. Incident Response Capability • Formal Policy and Procedures • Incident Response Training • Incident Response Testing • Incident Handling

  38. Incident Response Capability • Incident Monitoring • Incident Reporting • Incident Response Assistance

  39. Configuration Management • Process for controlling modifications to hardware, firmware, software, and documentation. • Controls ensure that IT systems are protected against improper modifications before, during and after implementation.

  40. Configuration Management • Formal Policy and Procedures • Baseline Configuration and System Component Inventory • Configuration Change Control • Monitoring Configuration Changes

  41. Configuration Management • Access Restrictions for Change • Configuration Settings • Least Functionality

  42. Identification/Authentication • Identification and authentication prevents unauthorized people (or unauthorized processes) from entering an IT system. • Access control usually requires the system to identify and differentiate users.

  43. Identification/Authentication • Formal Policy and Procedures • User Identification and Authentication • Device Identification and Authentication • Identifier & Authenticator Management

  44. Logical Access Controls • Logical access controls are the system-based mechanisms used to designate: • Who (or what) can access a specific system resource • The type of transactions and functions that are permitted.

  45. Logical Access Controls • Formal Policy And Procedures • Account Management • Access Enforcement • Information Flow Enforcement

  46. Logical Access Controls • Separation of Duties • Least Privilege • Unsuccessful Login Attempts • Previous Login Notification

  47. Logical Access Controls • Session Lock • Session Termination • Supervision and Review – Access Control • Permitted Actions without I & A (Identification & Authentication)

  48. Logical Access Controls • Remote Access • Wireless Access Restrictions • Access Control - Portable/Mobile Devices • Personally Owned IT Systems

  49. Audit Trails • Audit trails maintain a record of system activity by system processes and by user activity. • Using appropriate tools and procedures, audit trails can provide a means to establish individual accountability, reconstruct events, detect intrusions, and identify problems.

  50. Audit Trails • Formal Policy and Procedures • Auditable Events • Content of Audit Records • Audit Storage Capacity & Retention
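An added example, not part of the presentation: an auditor-style check that ties slide 50 (content of audit records) to the "Unsuccessful Login Attempts" control on slide 46. It parses constructed audit records carrying the minimum fields needed for accountability (when, who, from where, what, outcome), rejects records missing any of them, and flags users whose consecutive login failures within a sliding window reach a threshold; the log lines, field names and threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from the presentation). Each line carries
# when, who, from where, what event, and its outcome, which is the content an
# audit record needs to establish accountability and reconstruct events.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:00:01 user=jdoe src=10.0.5.21 event=login outcome=failure
2024-03-04T08:00:09 user=jdoe src=10.0.5.21 event=login outcome=failure
2024-03-04T08:00:15 user=jdoe src=10.0.5.21 event=login outcome=failure
2024-03-04T08:00:22 user=jdoe src=10.0.5.21 event=login outcome=failure
2024-03-04T08:00:30 user=jdoe src=10.0.5.21 event=login outcome=failure
2024-03-04T08:01:00 user=jdoe src=10.0.5.21 event=login outcome=success
2024-03-04T09:15:00 user=asmith src=10.0.7.3 event=login outcome=failure
2024-03-04T09:45:00 user=asmith src=10.0.7.3 event=login outcome=success
2024-03-04T10:00:00 user=asmith src=10.0.7.3 event=role_change outcome=success
"""

REQUIRED_FIELDS = ("user", "src", "event", "outcome")  # assumed minimum content

def parse_record(line):
    """Parse one 'timestamp key=value ...' line; raise if a required field is absent."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = value
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise ValueError(f"audit record lacks {missing}: {line!r}")
    return rec

def failed_login_violations(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {user: peak streak} for users whose consecutive login failures
    inside `window` reached max_failures (the Unsuccessful Login Attempts control)."""
    streak = defaultdict(list)   # user -> timestamps of failures still in the window
    violations = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["event"] != "login":
            continue                      # only login events count toward the control
        user = rec["user"]
        if rec["outcome"] == "success":
            streak[user] = []             # a successful login ends the failure streak
            continue
        streak[user] = [t for t in streak[user] if rec["ts"] - t <= window]
        streak[user].append(rec["ts"])
        if len(streak[user]) >= max_failures:
            violations[user] = max(violations.get(user, 0), len(streak[user]))
    return violations
```

With the sample log, `jdoe` reaches five failures in under a minute and is flagged, while `asmith`'s single failure followed by a success is not.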